Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSSH 3.5 Released

Posted by timothy on from the vavavoom dept.

Dan writes "Markus Friedl announces that OpenSSH 3.5 has just been released with notable updates since 3.4. It will be available from the mirrors listed at http://www.openssh.com/ shortly. Enhancements include bug fixes, improved support for Privilege Separation (Portability, Kerberos, PermitRootLogin handling), RSA blinding in order to avoid timing attacks against the RSA host key and much more. Congratulations are in order for the OpenSSH team's hard work and efforts."

15 of 140 comments (clear)

  1. Wait a while... by carlmenezes · · Score: 3, Insightful

    Wait a while to see if any errors/security holes pop-up. THEN go out and download it. Chances are you've already patched the version you have. Don't replace it with the new one until you're sure that's a good thing. It'll just save you a lot of extra work.

    --
    Find a job you like and you will never work a day in your life.
    1. Re:Wait a while... by zeekiorage · · Score: 2, Insightful

      With warnings like this, nobody will upgrade and no errors/security holes will come out ;).

      I think if you check the MD5/PGP signatures you should be fine.

    2. Re:Wait a while... by evilviper · · Score: 4, Insightful

      That is the most ridiculous philosophy...

      The S/Key exploit wasn't discovered until about 4 releases later. If a piece of software is exploitable, there's no magic formula that will result in you getting it after all the bugs have been fixed.

      It makes some sense for Windows, since everything is secret until a release, and is thrown upon the world in an instant, getting spread far and wide to different enwironments. So, bugs are found, but still doesn't help in the security department.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  2. Slow Down by Anonymous Coward · · Score: 4, Insightful

    If you do not have concerns with running the latest 3.4, do yourself a favor and let the 3.5 release wait for a few days. OpenSSH has actually become one of those apps I worry about now, joining the ranks of Sendmail and BIND. What a shame...when software designed solely for the purpose of increasing security cannot be trusted, what is left? Trust nothing I suppose.

    1. Re:Slow Down by erik+umenhofer · · Score: 4, Insightful

      It's not the software that having the security problem, it was a hacked server serving up the software and people not checking thier checksums. Don't blame the software when you didn't check your sum.

    2. Re:Slow Down by pope+nihil · · Score: 2, Insightful

      I'd like to point out that the security record of OpenSSH is much better than sendmail or bind. Having a bug like this only once in a while is better than average.

    3. Re:Slow Down by Anonymous Coward · · Score: 1, Insightful

      This isn't true; there were a number of versions of ssh with remote compromises before 3.4.

      On the other hand, its track record is still better than both sendmail and bind. And what else are you going to use? Telnet? VNC? Terminal Server? They all have worse problems.

    4. Re:Slow Down by oh · · Score: 5, Insightful

      Because Privlidge Seperation is in there, even a serious bug will (now) only result in a compromise of a non-privlidged user account.

      That's enough to negate any concerns.


      I've heard this argument before, and I don't think it holds water.

      Firstly, do you patch all local privilege escalation vulnerabilities as quickly as you patch remote vulnerabilities? I know I don't.

      Even if there are no local vulnerabilities, they can still scan you system for useful information. They can then use you system to attack other systems from behind you firewall. Do you have a local firewall rule that disallows all outbound connections?

      We had a presentation from a (proxy) firewall vendor that used a hardened OS. They were very proud that each proxy ran in its own little sand-box. The mail outside mail daemon could only access port 25 on the outside NIC, and could only pass email to the inside daemon via a shared spool directory. Their OS prevented any other access from that process.

      Whenever we asked about a specific version of a daemon, they would refer to this sand-boxing and tell us that it wouldn't matter if a particular proxy was hacked out, there was no way the hacker could break through the firewall.

      The company I worked for ran one of the largest (top 10, maybe top 5) web sites in our country. There would have been maybe a dozen other websites with similar bandwidth, and maybe the same number of ISPs. We had to sit down an carefully explain to these sales people that even if the hacked proxy could only access one port on the outside NIC of the firewall, it could DOS almost any other site in the country.

      They left that presentation with worried looks on their faces, and promised to get back to us with the version numbers we were asking for.

      Moral of the story: Any malicious use of you systems is a bad thing. "Privilege Separation" may stop them from rooting the box running OpenSSH, but a malicious hacker could still do a lot of damage.

      --
      Democracy isn't about no one telling you what to do. It's about everyone telling you what to do.
    5. Re:Slow Down by EvilAlien · · Score: 3, Insightful

      The moment you start trusting without question is the moment you should give up paying attention to security. Trust is a vulnerability.

      --
      perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
  3. Re:Check those MD5s! by MrWa · · Score: 3, Insightful

    I know this is a good idea, but if someone were to put a trojan in the OpenSSH code...how much harder would it be to put an MD5 that matches the modified code?

  4. Where is the public key to check the sig? by Anonymous Coward · · Score: 1, Insightful

    I can't seem to find a link to openssh.com's public key. I'd like tp putz about with this new version tonight, but I'm not putting it on any server until I can get its contents verified...

    So... any ideas where it might be found?

    1. Re:Where is the public key to check the sig? by rweir · · Score: 3, Insightful

      If I'm paranoid enough to verify the signature, do you really think I'll be using the key someone posted on Slashdot?

  5. Sigh by starseeker · · Score: 5, Insightful

    I see some highly moderated comments that are saying that ssh is no longer to be trusted, and what's left now?

    My contention is that there NEVER WAS any software as secure as these people seem to have though ssh was, and there never will be. It's just too complex a game, and there are people who seem to live on nothing but attacking systems. Given that combination, there will be weaknesses found, as long as humans are a part of the development equation.

    The situation has been improperly defined by the assumptions we've apparently made. Don't expect UNCRACKABLE software - that's just silly. What we have seen with openssh/openssl is exactly what we should be seeing - inevitable problems being openly discussed and fixed quickly. What if someone were to put a trojaned MS update onto one of Microsoft's servers? Would we even know for months? This kind of crap happens. It's part of the cost and reality of using computers.

    Take the rash of reports of vulnerability as a GOOD thing - it's better to know and fix, than wait for a black hat to find it. Of course we try to code and design to avoid weeknesses, but the reality is that life doesn't work like that, and we need to be ready to handle the problems that crop up. Whether or not this is an indication of a design flaw in ssh doesn't really matter either - that can also be fixed. That's what ongoing development is all about.

    So don't diss SSH too much. Constructive discussion only, please. Remember, it's free, it helps, and it's only getting better. If you don't think it's good enough, help them! You can, you know - open source at it's best.

    --
    "I object to doing things that computers can do." -- Olin Shivers, lispers.org
  6. Re:Too much change? by PigleT · · Score: 2, Insightful

    Your sysadmins are obviously pillocks if they either (a) believe everything in a version banner or (b) don't understand that it's better to have a fixed bug than a multitude of unknown bugs.
    Time to update the CV...

    --
    ~Tim
    --
    .|` Clouds cross the black moonlight,
    Rushing on down to the circle of the turn
  7. Re:MD5 is just a hash... by dmiller · · Score: 3, Insightful

    But, on the other hand, Damien miller's key has no sigs on it, so there's no reason for us to believe that it really belongs to him..

    The key has been pretty widely distributed and has been used to sign OpenSSH releases since nearly day 1 (I used a pgp2.6 key for some of the earlier releases IIRC).

    If the key were to suddenly change, it would be noticed (note that this is exactly the trust model that sshd host keys use).

    I would like to get some signatures on the key, but haven't had much opportunity. Hopefully I'll get off my behind and go to the next Asia-Pacific IETF conference and get some sigs there.